Audience Question: Given the background check that is required for joining groups like InfraGard, how concerned should we be with the possibility that some of the open groups like MeetUp might be infiltrated for negative purposes?

Stacey Wright: There are definitely reasons why some groups do background checks — they're sharing more sensitive information. At MeetUp, HackerSpaces, and other groups you're going to run into all types of people. If you join these groups you’re going to get access to all kinds of information, not just what you’re interested in but also interesting people and information pointing you in the direction of other things you should be looking at. That's not to say don't join them though. I have done MeetUp and HackerSpaces, I know people involved in them. Just like everything else, 99% of the people involved are good, honest people who are just looking to get together and geek out.

Audience Question: What resource could you recommend to conduct an internal assessment especially since I don't have a technical background and likely couldn't answer any of the technical questions through the self-assessment?

Stacey Wright: Unfortunately, there’s no easy way to conduct an internal assessment if you don’t have a technical background. Basically, you’ll need to involve someone from the technical side or outsource that to a third party. That being said, if you don't feel that you can handle the technical assessments at this point, I would start reading the NIST Cybersecurity Framework. That will give you some questions you should be asking and that will start you down the road of an informal assessment as to where your agency is.

The NCSR, the Nationwide Cyber Security Assessment MS-ISAC runs, is also pretty high-level and meant for executives to answer with their IT staff. And I would say with that one, know that you can always reach out to MS-ISAC for help in understanding and answering the questions or figuring out what some of those questions mean. That's part of the reason MS-ISAC is here. We can help you translate tech into non-tech.

Audience Question: Can you recommend a resource for doing a post-attack forensic analysis?

Stacey Wright: I'm assuming you mean after you've got things up but you're looking to figure out what went wrong and why it went wrong so you can put further controls. If you're state or local government, then give us a call. We do that for free as part of our Computer Emergency Response Team services. We can take your log files, hard drive, whatever… and do the forensics for you and give you a report telling you what happened.

If you're not part of the SLTT government community, it's a little bit harder to do it. The NCCIC can also assist if you're in the federal government or critical infrastructure sectors. But there really aren't any non-paid resources available for that purpose for the general public. A lot of security forums will do it for you after the attack, but they will charge money. They may be able to help you with something similar too.

My email address is at the end of the webinar – please feel free to email me for your particular situation and let me see what I can find for you.

Audience Question: How much information sharing and collaboration is happening amongst national organizations such as the MS-ISAC, Secret Service, FBI, InfraGard, etc.?

Stacey Wright: A ton. The MS-ISAC has people sitting on the NCCIC floor for this purpose, as do several other ISACs. We have MOUs with several of the federal agencies so we can work with them. The other ISACs have a similar setup, where we all work together throughout the day and we see each other’s reporting. The federal agencies work with each other all the time, too. Plus there are the automated indicator sharing platforms that use STIX/TAXII, like our Anomali feed, and DHS’ AIS. There is a lot of information going back and forth on a continual basis because in cybersecurity that's the only way to get anything really done.